IETF Logo Mail Archive

Re: [Rats] [EXTERNAL] Re: EAT IANA registry

Jeremy O'Donoghue <jodonogh@qti.qualcomm.com> Thu, 28 November 2019 09:05 UTC

Return-Path: <jodonogh@qti.qualcomm.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD5A312008C for <rats@ietfa.amsl.com>; Thu, 28 Nov 2019 01:05:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.298
X-Spam-Level:
X-Spam-Status: No, score=-4.298 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=qti.qualcomm.com header.b=pESX4DVT; dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=qualcomm.onmicrosoft.com header.b=BNEqMFSF
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id opiYzwdhiFjo for <rats@ietfa.amsl.com>; Thu, 28 Nov 2019 01:05:19 -0800 (PST)
Received: from alexa-out-sd-02.qualcomm.com (alexa-out-sd-02.qualcomm.com [199.106.114.39]) (using TLSv1.2 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 685C4120018 for <rats@ietf.org>; Thu, 28 Nov 2019 01:05:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=qti.qualcomm.com; i=@qti.qualcomm.com; q=dns/txt; s=qcdkim; t=1574931919; x=1606467919; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=lbhwSdLAghMtGnjG22B1dDjRqEsL6jrlExpbev55EJQ=; b=pESX4DVTi+Oe2Io9lEClsm6ycjwmEN68vo3DmyxfSJa4/j3fkgtLcWXk 3uBqdxXZ1E0iExEZyMxN8M4/QLFWr+TCnfLGnwUPz5qWIi3n5XEqvMYgZ FfGTq64eEQVw0hwbLIkKIauOB1Cfuh3xKbaA+eyT1RIqjikLiuB/JTqAe g=;
Received: from unknown (HELO ironmsg01-sd.qualcomm.com) ([10.53.140.141]) by alexa-out-sd-02.qualcomm.com with ESMTP; 28 Nov 2019 01:05:18 -0800
IronPort-SDR: Di8+xRxR2y5ZWKKpLQzwO/0gA/YUZtRljs6tf2Z9jjP1VziLTdJJnUnQfBeDqTtYAR889/UhAM vmK2Rh2TggeXZIkx6CaFLtQcwB3r+8ShPD3sJpon5mkBObHMlhkMgc/pm0xWS2JXHeEo0vyWdn nv3sUuriR26rcVXpDZQklVsVsJnAzO6/EC9sEayjcMCUNxyPM5eb2AiPzX2ONXCeht5XRpNoPL ElCCwPQ2H/bI8SjnDoEVkyEzCH1NFeZ7coRsF7DfUySLOfQdksxoTLZ5m4thCP3/gjrbIuwwI1 hNq9UVV7UzceZ4tc2NSv0bxH
Received: from nasanexm03b.na.qualcomm.com ([10.85.0.98]) by ironmsg01-sd.qualcomm.com with ESMTP/TLS/AES256-SHA; 28 Nov 2019 01:05:17 -0800
Received: from nasanexm03e.na.qualcomm.com (10.85.0.48) by nasanexm03b.na.qualcomm.com (10.85.0.98) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Thu, 28 Nov 2019 01:05:17 -0800
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (199.106.107.6) by nasanexm03e.na.qualcomm.com (10.85.0.48) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Thu, 28 Nov 2019 01:05:17 -0800
Received: from CY4PR0201MB3588.namprd02.prod.outlook.com (52.132.102.25) by CY4PR0201MB3506.namprd02.prod.outlook.com (52.132.103.12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2495.18; Thu, 28 Nov 2019 09:05:15 +0000
Received: from CY4PR0201MB3588.namprd02.prod.outlook.com ([fe80::2812:5ab:15e1:2bab]) by CY4PR0201MB3588.namprd02.prod.outlook.com ([fe80::2812:5ab:15e1:2bab%7]) with mapi id 15.20.2495.014; Thu, 28 Nov 2019 09:05:15 +0000
From: Jeremy O'Donoghue <jodonogh@qti.qualcomm.com>
To: "rats@ietf.org" <rats@ietf.org>
Thread-Topic: [Rats] [EXTERNAL] Re: EAT IANA registry
Thread-Index: AQHVpNGJhqP84R6bSUa61Omb+WpqIaeeb6WAgAC8WwCAAFbcgIAABmQAgACSwYCAAEEEgA==
Date: Thu, 28 Nov 2019 09:05:15 +0000
Message-ID: <EDF46007-B597-4048-8B77-1A4686A60C94@qti.qualcomm.com>
References: <D2CF9D31-057E-4B47-A3D0-08BBBF997F47@gmail.com> <VI1PR08MB53605A2A2E61E6EAE2609FECFA490@VI1PR08MB5360.eurprd08.prod.outlook.com> <09C4F36B-C9CE-44DF-9DF8-F3365A7E3053@gmail.com> <53C13986-A523-4349-BDC3-F8ACC2BCFD29@island-resort.com> <DM6PR00MB05697456BC04AC34B156850DF54B0@DM6PR00MB0569.namprd00.prod.outlook.com> <20191127031910.GF32847@mit.edu> <CFF55BD3-66F8-485A-9AF5-1DD38B5F444C@island-resort.com> <ECA98A18-0E4B-4C51-AFE4-FB84E61AC809@gmail.com> <MN2PR00MB057424C20F7549E74C4590B8F5440@MN2PR00MB0574.namprd00.prod.outlook.com> <28117100-32D0-40D2-81B8-89D1345B34FF@gmail.com> <7997E9C5-AC5E-4092-B556-0002DAD2B274@island-resort.com>
In-Reply-To: <7997E9C5-AC5E-4092-B556-0002DAD2B274@island-resort.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1f.0.191110
authentication-results: spf=none (sender IP is ) smtp.mailfrom=jodonogh@qti.qualcomm.com;
x-originating-ip: [212.136.9.12]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 015ec26f-7162-4bba-d170-08d773e2159b
x-ms-traffictypediagnostic: CY4PR0201MB3506:
x-microsoft-antispam-prvs: <CY4PR0201MB350672B159BF0716D733C515F2470@CY4PR0201MB3506.namprd02.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:2089;
x-forefront-prvs: 0235CBE7D0
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(366004)(396003)(39860400002)(376002)(346002)(136003)(189003)(199004)(54094003)(81166006)(6512007)(236005)(6306002)(6506007)(53546011)(102836004)(229853002)(54896002)(316002)(6246003)(86362001)(26005)(33656002)(76176011)(6486002)(6116002)(561944003)(2501003)(99286004)(3846002)(6436002)(66066001)(966005)(14454004)(606006)(478600001)(76116006)(2906002)(71190400001)(25786009)(58126008)(256004)(66476007)(45080400002)(71200400001)(5640700003)(11346002)(186003)(446003)(2616005)(6916009)(66446008)(64756008)(81156014)(66946007)(5660300002)(8936002)(1730700003)(8676002)(7736002)(14444005)(66556008)(91956017)(2351001); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR0201MB3506; H:CY4PR0201MB3588.namprd02.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:0;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: YJ/E+d9zThUSrqv2yVBCiyvPSpfO5m5oAphZ9ZZ/w+EgJsW3CMURVMQsfXVdqGl4u6Oh/stw/wBxhkouCmR6EGiB7iWVfXluAgaW95J6uVkYHwX/HyBEVmAHCy3+sIIpSnRngzN7w3NGMNHfKr7mfSnB86WpmOrRgRekM8Z4PcA3hhTV4Hch3mjwjQCnolzlx5Im/w0GukJB+SlCTjDbVn6B9Atmd9zYw74wN6++6NNZvWkoL0Am5fPtU7YEAM0BANyioVCu7BavqMWSESyzs4k2KALFZSOdmOhj2QT9krXcLLxDKTRv3g3li8f0rb0ygQ0QuDAMA8xI0vgCUOl/2LR9ZoI9I0uMZJJW8YYGfj7n1EL5jNYfKPKmO9Iutwo9IoEBfcTJxfj+J9Ct2zoPthtSOnuUvXzlj2USwDJulvgR/ZbKJMXgjuiWic4xD27pe7qaH92mvXFiyQK560yBp2nAUARYD/sgnzrtzxmfNHs=
x-ms-exchange-transport-forked: True
arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=gmQm5W0FD1I//SVVxxutE8CkhxV2dxjrrebrLm7RybmznHDM6i3R4NISZOJ8xbXRZH9q2Fa+7POfbFIwlKQwxIeJ4Y8TFJelKPfNXVqIH3pHCZvDH0rP5VRtOgf1IJpt4FA2hqDfWDyn6OstbfmOXkMy1lUjH+AFDx8ridNxRW00+RmYzZrd/9CnIpruRlb19tNUsGOwvwt3NNWWqzuH201IIboNwCzyswRAZ9IRC9UKlEDyQ5b0Z42TP+V7NyGSdLJ1zoYHn/Jtarn8NkSn/qqW5aWheHR/2i7bOpvaKljLjpUh7MEplZjjn/MbbqFA7k8b3NmTN0jR27ZcjoF/Fw==
arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=oVxvJ2CsKH1NH6fINIkseFatRwr/uneckFoAW9H+4gI=; b=Lp2B8q+QPIIy/DUaeZ2Zf2BO1j8r/Hbh0cUNnydr7NN+EdHXQMH0gRGZQJx/z1WU2/quDVWefF/phBRkV+CzcUQ2pt8/EBO0wOXfbzWXH6IreDsWH3orBXnLNpgrE4XHYaMotmhyMJbLX2/dt+Ks33uMFt777+TAYhbupPVeQM9BvqLry9U6GJ7i1d0vcVKeg/jnUHTGl5RggdDk3KIIgLM4rhGnJt6dno0AWn8ny2v8Vm8Uaila2SpDpDqtMvsT12oleMYexfMtfzbOpq/IC0HMb0UNfHCVtHXZ3bvadZzAh5qdeaP9LP5pxovuzhJRobYz8FuNMDFr6ZAq8ARVYw==
arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=qti.qualcomm.com; dmarc=pass action=none header.from=qti.qualcomm.com; dkim=pass header.d=qti.qualcomm.com; arc=none
dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=qualcomm.onmicrosoft.com; s=selector1-qualcomm-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=oVxvJ2CsKH1NH6fINIkseFatRwr/uneckFoAW9H+4gI=; b=BNEqMFSFSgDVTz4CIHZCsMeUvYyD5apNQZ2/6q7uXMapQMQ8n1jmYhf1ghqDvTaAiGqkrNvP8kV4PFHEFR/2PEr2vl19bqLSOnYAOk03yIHkINPMll8tbEFMWvNng8iMKA/Z2GXpttT0xFb4rqM8eUOjntUXEv2uxiK1nNy+g5E=
x-ms-exchange-crosstenant-network-message-id: 015ec26f-7162-4bba-d170-08d773e2159b
x-ms-exchange-crosstenant-originalarrivaltime: 28 Nov 2019 09:05:15.7211 (UTC)
x-ms-exchange-crosstenant-fromentityheader: Hosted
x-ms-exchange-crosstenant-id: 98e9ba89-e1a1-4e38-9007-8bdabc25de1d
x-ms-exchange-crosstenant-mailboxtype: HOSTED
x-ms-exchange-crosstenant-userprincipalname: UA1T7m64S3Kn27d8Y+SCG067ua2bR/24SW4CVkm/gzI4Pbtuh0xoStyh1rRP+bHtfAiKRkYZ8a2qGVtLzrKhO/Aa/W50RjoXSTkXeJhg9XM=
x-ms-exchange-transport-crosstenantheadersstamped: CY4PR0201MB3506
x-originatororg: qti.qualcomm.com
Content-Type: multipart/alternative; boundary="_000_EDF46007B59740488B771A4686A60C94qtiqualcommcom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/4wmp2x-ftRLCLj6x9vd2FIu4L60>
Subject: Re: [Rats] [EXTERNAL] Re: EAT IANA registry
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Nov 2019 09:05:22 -0000

I can confirm that GlobalPlatform is working on EAT claims related to the technologies it standardises: TEE and Secure Element in particular. As with FIDO, there will be GlobalPlatform-specific documents published outside the IETF specifying how these are used.

From the perspective of other bodies wishing to adopt EAT in their specific use-cases in an interoperable way, a single IANA registry would be easier to manage than registering what are essentially the same claims in JWT and CWT registries separately.

I am probably asking a stupid question, but is there no mechanism by which CWT and JWT claims can be merged in a single registry? It seems to me that CWT and JWT support the same use-cases, and everyone would benefit by having properly interoperable standardized claims for both (would make e.g. conversion between JSON and CBOR representations of the same claim trivial). Such approach would address virtually all arguments for having separate registries for any use-case. I accept that this would be contentious and take time, but it seems a very worthy goal.

Jeremy

On 28/11/2019, 06:13, "RATS on behalf of Laurence Lundblade" <rats-bounces@ietf.org<mailto:rats-bounces@ietf.org> on behalf of lgl@island-resort.com<mailto:lgl@island-resort.com>> wrote:


CAUTION: This email originated from outside of the organization.
A separate EAT registry doesn’t seem like it will solve the issues being brought up.

You’re still going to have the problem of people registering all sorts of things like they have for JWT unless you put in place some more stringent rules about expert review and such. JWT already the most stringent qualification common in the IETF for a new claim short of standards action. (CWT seems not to be widely used yet so it has less than 10 claims, most of which overlap with EAT.)

You’re still going to have very specific things like the foobar-transaction that are not general purpose. A separate EAT registry doesn’t solve that.

Some sort of profile / context seems highly likely to be necessary to narrow EAT when applied to specific use cases. That seems to be the place to address these concerns. Here’s some profiles I can imagine.
   - FIDO Alliance defines how EAT is integrated into FIDO with a FIDO-specific document, probably published outside the IETF
   - Android keystore documentation says how EAT fields apply to Android attestation
   - ARM and Qualcomm have already published their PSA attestation as IETF drafts
   - I hear rumors that Global Platform might have their TEE-related set

LL



On Nov 27, 2019, at 1:27 PM, Yaron Sheffer <yaronf.ietf@gmail.com<mailto:yaronf.ietf@gmail.com>> wrote:

Hi Mike,

To me this is a perfect counter-example: it is so generic as to be non-reusable. When used in an attestation, the verifier will want to have well defined syntax and semantics for what is attested, in this case a certain transaction. Here we don’t know what kind of a transaction this is (semantics) and how to interpret the transaction identifier (syntax).

If some particular environment wants to define claims for a particular, private kind of transaction, let’s make it easy for them to define their own, very specific foobar-transaction.

Thanks,
                Yaron

From: Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>>
Date: Wednesday, November 27, 2019 at 23:04
To: Yaron Sheffer <yaronf.ietf@gmail.com<mailto:yaronf.ietf@gmail.com>>, Laurence Lundblade <lgl@island-resort.com<mailto:lgl@island-resort.com>>, Benjamin Kaduk <kaduk@mit.edu<mailto:kaduk@mit.edu>>
Cc: "rats@ietf.org<mailto:rats@ietf.org>" <rats@ietf.org<mailto:rats@ietf.org>>, Hannes Tschofenig <Hannes.Tschofenig@arm.com<mailto:Hannes.Tschofenig@arm.com>>
Subject: RE: [Rats] [EXTERNAL] Re: EAT IANA registry

The point of having a common JWT Claims registry is to enable future specifications to benefit from reusing applicable claims registered by past specifications.  For instance, the Security Event Token [RFC 8417<https://tools.ietf.org/html/rfc8417>] specification recently registered this general-purpose claim:
   o  Claim Name: "txn"
   o  Claim Description: Transaction Identifier
   o  Change Controller: IESG
   o  Specification Document(s): Section 2.2 of [RFC8417]<https://tools.ietf.org/html/rfc8417#section-2.2>

That made it available to EAT and other future specifications using JWTs.  If it had instead put it into its own registry, the potential for reuse would have been lost.

Let’s likewise let future specs benefit from EAT-defined claims by putting them in the normal IANA JWT Claims registry.

                                                       -- Mike

From: Yaron Sheffer <yaronf.ietf@gmail.com<mailto:yaronf.ietf@gmail.com>>
Sent: Wednesday, November 27, 2019 7:54 AM
To: Laurence Lundblade <lgl@island-resort.com<mailto:lgl@island-resort.com>>; Benjamin Kaduk <kaduk@mit.edu<mailto:kaduk@mit.edu>>
Cc: Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>>; rats@ietf.org<mailto:rats@ietf.org>; Hannes Tschofenig <Hannes.Tschofenig@arm.com<mailto:Hannes.Tschofenig@arm.com>>
Subject: Re: [Rats] [EXTERNAL] Re: EAT IANA registry

To put it into perspective, there are already 57 claims registered [1]. So even if 7 claims overlap, this is a relatively *small* number. IMO there is high value in a separate namespace for EAT claims, and the standard way to create such a namespace in JSON is exactly as Ben is proposing.

Thanks,
                Yaron

[1] https://www.iana.org/assignments/jwt/jwt.xhtml

From: Laurence Lundblade <lgl@island-resort.com<mailto:lgl@island-resort.com>>
Date: Wednesday, November 27, 2019 at 06:39
To: Benjamin Kaduk <kaduk@mit.edu<mailto:kaduk@mit.edu>>
Cc: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org<mailto:Michael.Jones=40microsoft.com@dmarc.ietf.org>>, Yaron Sheffer <yaronf.ietf@gmail.com<mailto:yaronf.ietf@gmail.com>>, "rats@ietf.org<mailto:rats@ietf.org>" <rats@ietf.org<mailto:rats@ietf.org>>, Hannes Tschofenig <Hannes.Tschofenig@arm.com<mailto:Hannes.Tschofenig@arm.com>>
Subject: Re: [Rats] [EXTERNAL] Re: EAT IANA registry


On Nov 26, 2019, at 7:19 PM, Benjamin Kaduk <kaduk@mit.edu<mailto:kaduk@mit.edu>> wrote:

...but I'm not sure that "avoiding duplicates"
would apply to a proposal that makes a single JWT/CWT claim for "EAT data"
and puts the attestation claims in a map as the value for that "EAT data"
claim.  What existing JWT/CWT claims would duplicate the potential contents
of the EAT data fields?

That is an interesting thought — put all of EAT into one JWT/CWT claim that is a map. Other’s have mentioned it to me. It would let EAT re use the most compact integer CBOR integer labels.

Right now we re use the following claims from JWT or CWT by normative reference:
- nonce
- Token ID cti/jti
- Time stamp (iat)

Also these JWT or CWT seem either likely or possible use in EAT:
- cnf (proof of possession of key)
- iss Issuer
- expiration
- not before

That’s a fairly large overlap which makes me disinclined to putting all of EAT into one map that is one JWT/CWT claim, separating EAT claims from CWT/JWT claims.

I’m no OAuth expert, but I wonder if some of the EAT claims might be useful for other than EAT tokens, another reason not to keep them separate.

I suspect we’re going to find at least one more use for a signed map of label-value pairs in the next few years that would be able to re use at least some of these claims — another reason to keep them in the same space.

LL






_______________________________________________
RATS mailing list
RATS@ietf.org<mailto:RATS@ietf.org>
https://www.ietf.org/mailman/listinfo/rats

v2.23.0 | Report a Bug | By Email